Using SSH public key authentication
You can use InsightVM to perform credentialed scans on assets that authenticate users with SSH public keys. This method, also known as asymmetric key encryption, involves the creation of two related keys, or large, random numbers:
- a public key that any entity can use to encrypt authentication information
- a private key that only trusted entities can use to decrypt the information encrypted by its paired public key
When generating a key pair, keep the following guidelines in mind:
- The application supports SSH protocol version 2 RSA, DSA, ECDSA, and Ed25519 keys.
- RSA keys can range between 768 and 16384 bits.
- DSA keys must be 1024 bits.
- ECDSA keys must be 256, 384, or 521 bits.
- Ed25519 keys are 256 bits and can not be altered.
- Keys must be in
openssh-key-v1
format or in PEM format.
Supported SSH key exchange algorithms
Below are SSH key exchange algorithms that are supported. Your assets need to be configured with at least one of these algorithms in order for the SSH public key credentials to be successful.
- curve25519-sha256
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
This article provides general steps for configuring an asset to accept public key authentication. For specific steps, consult the documentation for the particular system that you are using.
The ssh-keygen
process will provide the option to enter a passphrase. It is recommended that you use a passphrase to protect the key if you plan to use the key elsewhere.
Generating a key pair
- Run the
ssh-keygen
command to create the key pair, specifying a secure directory for storing the new file.
This example involves a 2048-bit RSA key and incorporates the /tmp
directory, but you should use any directory that you trust to protect the file:
1ssh-keygen -t rsa -b 2048 -f /tmp/id_rsa
This next example generates the key in PEM format:
1ssh-keygen -t rsa -b 2048 -m PEM -f /tmp/id_rsa
This command generates the private key files, id_rsa
, and the public key file, id_rsa.pub
.
- Make the public key available for the application on the target asset.
- Make sure that the computer with which you are generating the key has a
.ssh
directory. If not, run themkdir
command to create it:
1mkdir /home/[username]/.ssh
- Copy the contents of the public key that you created by running the command in step 1. The file is in
/tmp/id_rsa.pub
file.
Root access note
Some checks require root access.
Append the contents on the target asset of the /tmp/id_rsa.pub
file to the .ssh/authorized_keys
file in the home directory of a user with the appropriate access-level permissions that are required for complete scan coverage.
1cat /[directory]/id_rsa.pub >> /home/[username]/.ssh/authorized_keys
- Provide the private key.
After you provide the private key, you must provide the application with SSH public key authentication.
Providing SSH public key authentication
If you want to add SSH credentials while configuring a new site, click the Create site button on the Home page.
OR
Click the Create tab at the top of the page and then select Site from the dropdown list.
If you want to add SSH credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.
- Click the Authentication tab in the site configuration.
- Click Add Credentials.
- In the Add Credentials form, enter a name and description for a new set of credentials if necessary.
- Click Account under Add Credentials.
- Select Secure Shell (SSH) Public Key as the from Service dropdown list.
Default file information
ssh/authorized_keys
is the default file for most OpenSSH and dropdown-based SSH daemons. Consult the documentation for your Linux distribution to verify the appropriate file.
Be aware that this Secure Shell (SSH) Public Key authentication method is different from the method listed in the dropdown menu as Secure Shell (SSH). This latter method incorporates passwords instead of keys.
- Enter the appropriate user name.
- (Optional) Enter the Private key password used when generating the keys.
- Confirm the private key password.
- Copy the contents of that file into the PEM-format private key text box. The private key that you created is the
/tmp/id_rsa
file on the target asset. - (Optional) Elevate permissions to sudo or su. You can elevate permissions for both Secure Shell (SSH) and Secure Shell (SSH) Public Key services.
- (Optional) Enter the appropriate user name. The permission elevation user needs to be set to
root
. To do this, the user's permission elevation type needs to be set tosudo
and the permission elevation user needs to be set asroot
. - The user name can be empty for
sudo
credentials. If you are usingsu
credentials with no user name, the credentials will default toroot
as the user name.
If the SSH credential provided is a root
credential, user ID = 0, the permission elevation credentials will be ignored, even if the root
account has been renamed. The application will ignore the permission elevation credentials when any account, root
or otherwise named, with user ID 0 is specified.
- When you have finished configuring the credentials, click Create if it is a new set, or Save if it is a previously created set.